lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <200804221356.15748.rgetz@blackfin.uclinux.org>
Date:	Tue, 22 Apr 2008 13:56:15 -0400
From:	Robin Getz <rgetz@...ckfin.uclinux.org>
To:	"Greg Ungerer" <gerg@...pgear.com>
Cc:	linux-kernel@...r.kernel.org,
	"David Howells" <dhowells@...hat.com>,
	Bryan Wu <bryan.wu@...log.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	"Hennerich, Michael" <Michael.Hennerich@...log.com>
Subject: [PATCH] mm/nommu.c - return 0 from kobjsize with invalid objects

From: Michael Hennerich <Michael.Hennerich@...log.com>

Don't perform kobjsize operations on objects the kernel doesn't manage.

Signed-off-by: Michael Hennerich <Michael.Hennerich@...log.com>
Signed-off-by: Robin Getz <rgetz@...ckfin.uclinux.org>

---
On Blackfin, drivers can get dma coherent memory by calling a function
dma_alloc_coherent(). We do this in nommu by configuring a chunk of uncached
memory at the top of memory.

Since we don't want the kernel to use the uncached memory, we lie to the
kernel, and tell it that it's max memory is between 0, and the start of the
uncached dma coherent section.

this all works well, until this memory gets exposed into userspace (with a
frame buffer), when you look at the process's maps, it shows the framebuf:

root:/proc> cat maps
[snip]
03f0ef00-03f34700 rw-p 00000000 1f:00 192        /dev/fb0
root:/proc>

This is outside the "normal" range for the kernel. When the kernel tries to
find the size of this object (when you run ps), it dies in nommu.c in
kobjsize.

BUG_ON(page->index >= MAX_ORDER);

since the page we are referring to is outside what the kernel thinks is it's
max valid memory.

root:~> while [ 1 ]; ps > /dev/null; done
kernel BUG at mm/nommu.c:119!
Kernel panic - not syncing: BUG!

We fixed this by adding a check to reject out of range object pointers as it
already does that for NULL pointers.

----

--- linux/mm/nommu.c	2008-04-16 21:00:20.000000000 -0400
+++ linux/mm/nommu.c	2008-04-22 13:39:04.000000000 -0400
@@ -105,7 +106,11 @@
 {
 	struct page *page;
 
-	if (!objp || !((page = virt_to_page(objp))))
+	/*
+	 * If the object we have should not have ksize performed on it,
+	 * return size of 0
+	 */
+	if (!objp || !((page = virt_to_page(objp))) || (unsigned long)objp >= memory_end)
 		return 0;
 
 	if (PageSlab(page))
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ